Abstract

Conditions are given under which a one-way function can be used safely in a programming language. The security proof involves showing that secrets cannot be leaked easily by any program meeting the conditions unless breaking the one-way function is easy. The result is applied to a password system where passwords are stored in a public file as images under a one-way function. *


1. Introduction

One-way functions play an important role in security. Roughly speaking, a function f is one-way if for all w, it is easy to compute f(w) but hard to find a z, given f(w), such that f(z) = f(w). One-way functions come in different flavors. Some are permutations, while others are hash functions. They operate upon an arbitrary-length pre-image message, producing what is called a message digest. A message digest may have fixed length. Examples of hash functions include MD5, which produces a 128-bit digest, and SHA1, which yields a 160-bit digest [3]. The hardness property coupled with fixed-length digests make certain one-way hash functions appealing for storing passwords on systems and creating pre-images of digital signatures. The main result of this paper is independent of the flavors of one-way functions.

A related property is claw-freeness [2]. A hash function f is said to be claw-free if it is hard to find a pair (x, y), where x ≠ y, such that f(x) = f(y). For a small message space, a hash function may be one-way but fail to be claw-free due to a birthday attack. The basic idea is that one can significantly reduce the size of a message space and still expect to find, with reasonable probability, two messages that collide. Whether this is an issue depends on the application. This paper is not concerned with the claw-free property.

* To appear at the 13th IEEE Computer Security Foundations Workshop, Cambridge, England, 3-5 July, 2000.

In this paper, we are interested in identifying conditions under which a one-way function can be used in a programming language safely and with more flexibility than what an information-flow property like Noninterference [7] allows. For instance, a cryptographic API for a programming language might include MD5. In this case, the conditions should make leaking a secret using MD5 in any program as hard as inverting MD5. This is a security property under which we justify downgrading MD5 message digests.

We start with the definition of one-way functions from [4]. A function f : Σ* → Σ* is one-way if

1. |w| = |f(w)| for all w (f is length preserving),

2. f is computable in polynomial time, and

3. for every probabilistic polynomial time Turing machine M, every k, and sufficiently large n, if we pick a random w of length n and run M on input f(w),

$\Pr[M(f(w)) = y \text{ where } f(y) = f(w)] < n^{-k}$.

The first and second conditions are irrelevant as far as our main result is concerned. The probability in the third condition is taken over the random choices made by M and the random choice of w. The third condition effectively merges two properties that we need to distinguish for the purpose of constructing a security proof. One is simply the likelihood that f avoids collisions with respect to a given input distribution. This property we term collision resistance. The other is purely a property about inversion where the third condition becomes $\Pr[M(f(w)) = w] < n^{-k}$. This is the one-wayness property of f.

If string w is considered private (high) then we might argue that f(w) could be considered public (low) based on the one-wayness of f. However, it is actually unsound to do so unless care is taken in what we allow as arguments to f. For instance, suppose f is a one-way function, variable h stores a k-bit password, and mask is a low variable. Then consider the code in Figure 1. It copies (leaks) h to low variable l in time linear in k. (It might fail to copy every bit of h because of collisions but this may be unlikely depending on the collision resistance of f.)

    l := 0;
    mask := 2^(k-1);
    while mask ≠ 0 do
        if f(h) = f(h | mask) then
            l := l | mask;
        mask := mask 1

Figure 1. An efficient leak of h

However, there are practical examples of where we need to treat a message digest as low. Consider a challenge-response protocol. A participant may respond publicly with a message digest computed over a shared secret and a public challenge it receives. We want the digest to be treated as low. Another example is password checking. If h stores a password then a simple password checker is given by the assignment

    b := (f(h) = f(r))

where b is a low output variable and r is the input to the checker. We would expect r and h to be high variables. After all, r may match h, and indeed usually will. However, the result of comparing the message digests must be low.

So we want a set of conditions for a programming language that prohibits abuses of one-way functions, as in Figure 1, yet recognizes legitimate downgrading by them in other situations. This paper describes such a set of conditions via a type system. Further, we need a sense in which these conditions are sound. They are certainly not sound with respect to Noninterference [7] due to downgrading. However, they are sound in the following sense. It can be proved that leaking the secret contents of a variable h using any program P that meets the conditions is as hard as learning h with a program where access to h is prohibited, but the program can access f(h), call f on inputs of its choice and flip a coin. And deducing h in this context clearly amounts to inverting f(h) using a probabilistic Turing machine. By the one-wayness of f then, we expect P to succeed with very low probability in polynomial time, for sufficiently-long and uniformly-distributed values of h.

Informally, we reduce the problem of inverting a one-way function to that of leaking a secret h via a well-typed program. We begin with a well-typed program that can access h directly and show that its low computation can be simulated by a program with no references to high variables except in calls of the form f(h) and in comparisons of the form f(h) = f(r), for a high read-only variable r. The latter comparisons are then eliminated by an independent random variable whose distribution is governed by the collision resistance of f with respect to the well-typed program's input distribution. (It is irrelevant that we may not know the distribution because the reduction only relies upon its existence.) The result is a program that uses f, f(h), and an independent random variable to simulate the well-typed program's low computation with at least the same probability of success and with at most a constant increase in time complexity. Therefore, any bound on the probability of finding h from f(h) within polynomial time can apply to the probability of leaking h with a well-typed polynomial-time command. This is a security property that applies, for instance, to the simple password checker above.

2. The language and semantics

A program is expressed in an imperative language:

    (expr)  e ::= x | h | n | f(e) | f(h) = f(r) |
                  e1 + e2 | e1 < e2 | e1 = e2 |
                  e1 & e2 | e1 > e2 | (e1 | e2)

    (cmds)  c ::= skip | x := e | c1; c2 |
                  if e then c1 else c2 | while e do c

Metavariable x ranges over identifiers that are mapped by memories to integers, n ranges over integer literals, f is a function mapping integers to integers, and h and r are read-only variables. There are three bitwise operators (&, |). Integers are the only values; we use 0 for false and nonzero for true.

A standard transition semantics for the language is given in Figure 2. It is completely deterministic and defines a transition function → on configurations. A memory μ is a mapping from variables to integers. A configuration is either a pair (c, μ) or simply a memory μ. In the first case, c is the command yet to be executed; in the second case, the command has terminated, yielding final memory μ. As usual, we define κ →^0 κ, for any configuration κ, and κ →^k κ'', for k > 0, if there is a configuration κ' such that κ →^(k-1) κ' and κ' → κ''.

Expressions are evaluated atomically and we extend the application of μ to expressions, writing μ(e) to denote the value of expression e in memory μ. We say that μ(f(e)) = f(μ(e)), μ(e1 + e2) = μ(e1) + μ(e2), and so on. The other expressions are handled similarly. Note that μ(e) is defined for all e, as long as every identifier in e is in dom(μ).

2.1.  Probabilistic  execution 

In our reduction of Section 4, we talk about the probabilistic simulation of a command with respect to a joint distribution d for its free variables (d is finite for a given command if memories are mappings to k-bit integers for a fixed k). A simulation may need to flip a coin but this occurs only once, at the start of an execution, and therefore we can achieve the effect by introducing an independent random variable as input to the simulation. Although this keeps the simulation deterministic, it still calls for attention in the semantics because the input variable must be initialized from a probability space prior to execution, apart from other free variables [1].

    (NO-OP)     (skip, μ) → μ

    (UPDATE)    x ∈ dom(μ)
                ------------------------------
                (x := e, μ) → μ[x := μ(e)]

    (SEQUENCE)  (c1, μ) → μ'
                ------------------------------
                (c1; c2, μ) → (c2, μ')

                (c1, μ) → (c1', μ')
                ------------------------------
                (c1; c2, μ) → (c1'; c2, μ')

    (BRANCH)    μ(e) ≠ 0
                ------------------------------
                (if e then c1 else c2, μ) → (c1, μ)

                μ(e) = 0
                ------------------------------
                (if e then c1 else c2, μ) → (c2, μ)

    (LOOP)      μ(e) = 0
                ------------------------------
                (while e do c, μ) → μ

                μ(e) ≠ 0
                ------------------------------
                (while e do c, μ) → (c; while e do c, μ)

Figure 2. Transition semantics

The free and random variables of a command can be treated uniformly as just free variables if a command is represented as a discrete Markov chain, the states of which are configurations [5]. The idea is to execute a command simultaneously in all memories that map exactly its free variables. For each such memory μ, it begins execution in μ with probability d(μ). An execution then becomes a sequence of probability measures on configurations. The stochastic matrix T of the Markov chain in this case is trivial; each row of the matrix is a point mass. That means there is no splitting of mass after execution begins, only accumulation of it (cf. pg. 337 of [1]). Each measure in a sequence is determined by taking the linear transformation of the immediately preceding measure with respect to T. See [5] for details.

For example, execution of y := is given in Figure 3 relative to a particular joint distribution for the four possible memories. We say that y := terminates in memory [x := 0, y := 1] in one step with unconditional probability 5/8 and in [x := 1, y := 0] in one step with probability 3/8.

As another example, consider the loop

    while x do x := ¬x

whose execution is given in Figure 4 for a particular distribution. Mass accumulates at [x := 0] (or ({}, [x := 0]) in the notation of [5]) in the final step. We say the command terminates in [x := 0] in three steps with unconditional probability 1.

In general, suppose μ is a memory, c has free variables x1, ..., xn and μ1, ..., μm are memories with domain x1, ..., xn from which c terminates in μ in at most k steps. If d is a joint distribution for x1, ..., xn, then we say c terminates in μ in k steps with unconditional probability $d(\mu_1) + \cdots + d(\mu_m)$.

3. The type system

Following previous work, the types are as follows:

    (data types)    τ ::= L | H

    (phrase types)  ρ ::= τ | τ var | τ cmd

The data types are just the security levels low and high. The rules of the type system are given in Figure 5. Here γ is a typing that maps variables (perhaps read only) to types of the form τ var or τ. If γ(x) = τ then we say that x is a read-only variable in γ. We distinguish h and r as special read-only variables in that γ(h) = H = γ(r), for all γ.

The typing rules for the other binary operators are similar to that for EQ. Notice that where downgrading is taking place, specifically in rules QUERY and IMAGE, it is done with respect to read-only variables, namely r and h. This is key to getting a reduction. It is these two rules that break traditional Noninterference. Rule IMAGE comes in handy when typing the code of a challenge-response protocol, in particular, the C code that makes up the GNU implementation of CHAP. It allows a low digest to be computed over a challenge and a secret, the concatenation of which is the value of h. Rule QUERY is useful in password-checking contexts. More is said about these applications in Section 5.

Notice that the code in Figure 1 is not well typed. Expression f(h | mask) can only be typed using rule HASH, forcing it to have type H since γ(h) = H for all γ. But then the guard of the conditional has type H while its body has type L cmd which cannot be reconciled.
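The rules of Figure 5 as an executable checker, added here as an example and not code from the paper. Programs are encoded as nested tuples and a typing γ as a dictionary whose entries ("var", τ) and ("const", τ) stand for τ var and read-only τ; the typing GAMMA, the tuple encoding and the use of skip as the missing else branch of Figure 1 are assumptions of the example. It reports the conditional of Figure 1 as ill typed for exactly the reason given above (the guard has type H, the body L cmd) and accepts the password checker, typed by QUERY, and a challenge-response digest assignment, typed by IMAGE.

```python
# Added example, not code from the paper: a checker for the typing rules of
# Figure 5.  Expressions: ("lit", n), ("var", x), ("f", e), and ("+", e1, e2)
# etc. for the binary operators.  Commands: ("skip",), (":=", x, e),
# (";", c1, c2), ("if", e, c1, c2), ("while", e, c).
# A typing maps each identifier to ("var", tau) or ("const", tau); h and r
# are always ("const", H).

L, H = "L", "H"

def meet(t1, t2):
    """Lower of two security levels (L below H)."""
    return L if L in (t1, t2) else H

def join(t1, t2):
    """Higher of two security levels."""
    return H if H in (t1, t2) else L

def leq(t1, t2):
    """Subtyping on data types: BASE (L below H) and REFLEX."""
    return t1 == t2 or (t1 == L and t2 == H)

def is_image_of_h(e):
    return e[0] == "f" and e[1] == ("var", "h")

def type_expr(gamma, e):
    """Least tau with gamma |- e : tau; by SUBTYPE, e also has every higher tau."""
    tag = e[0]
    if tag == "lit":                                       # INT
        return L
    if tag == "var":                                       # CONST and R-VAL
        return gamma[e[1]][1]
    if tag == "f":                                         # IMAGE, else HASH
        return L if is_image_of_h(e) else type_expr(gamma, e[1])
    if tag == "=" and is_image_of_h(e[1]) and e[2] == ("f", ("var", "r")):
        return L                                           # QUERY
    if tag in ("+", "<", "=", "&", ">", "|"):              # EQ and its siblings
        return join(type_expr(gamma, e[1]), type_expr(gamma, e[2]))
    raise ValueError(f"unknown expression {e!r}")

def type_cmd(gamma, c):
    """Greatest tau with gamma |- c : tau cmd (CMD- admits every lower tau),
    or raise TypeError when no typing derivation exists."""
    tag = c[0]
    if tag == "skip":                                      # SKIP
        return H
    if tag == ":=":                                        # ASSIGN
        x, e = c[1], c[2]
        kind, tx = gamma[x]
        if kind != "var":
            raise TypeError(f"{x} is read-only")
        te = type_expr(gamma, e)
        if not leq(te, tx):
            raise TypeError(f"{te} expression assigned to {tx} variable {x}")
        return tx
    if tag == ";":                                         # COMPOSE
        return meet(type_cmd(gamma, c[1]), type_cmd(gamma, c[2]))
    if tag in ("if", "while"):                             # IF and WHILE
        te = type_expr(gamma, c[1])
        tc = type_cmd(gamma, c[2])
        if tag == "if":
            tc = meet(tc, type_cmd(gamma, c[3]))
        if not leq(te, tc):                                # guard must not exceed the bodies
            raise TypeError(f"{te} guard controls a {tc} cmd body")
        return tc
    raise ValueError(f"unknown command {c!r}")

def well_typed(gamma, c):
    """True iff c has some type under gamma."""
    try:
        type_cmd(gamma, c)
        return True
    except TypeError:
        return False

# Constructed typing for the programs below.
GAMMA = {"h": ("const", H), "r": ("const", H), "l": ("var", L),
         "mask": ("var", L), "b": ("var", L), "digest": ("var", L)}

# The conditional of Figure 1 (else skip assumed): guard f(h) = f(h | mask).
FIGURE1_IF = ("if",
              ("=", ("f", ("var", "h")), ("f", ("|", ("var", "h"), ("var", "mask")))),
              (":=", "l", ("|", ("var", "l"), ("var", "mask"))),
              ("skip",))

# The password checker b := (f(h) = f(r)) and a challenge-response digest := f(h).
CHECKER = (":=", "b", ("=", ("f", ("var", "h")), ("f", ("var", "r"))))
DIGEST = (":=", "digest", ("f", ("var", "h")))

if __name__ == "__main__":
    for name, prog in [("Figure 1", FIGURE1_IF), ("checker", CHECKER), ("digest", DIGEST)]:
        print(name, "well typed" if well_typed(GAMMA, prog) else "rejected")
```

The checker computes the least type of an expression and the greatest type of a command, which is enough because SUBTYPE only ever raises an expression's type and CMD⁻ only ever lowers a command's; a rule such as IF then has a derivation exactly when the guard's least type lies below the bodies' greatest types.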

4. The reduction

The basic idea is to show that every well-typed command's low computation can be simulated, with at most a constant increase in time complexity, by a command whose only references to high variables are in calls to f. However, we are not finished. The simulation still has calls of the form f(h) and f(r). Instances of f(h) can remain because they form the input to a command (the adversary) for computing h, but all calls f(r) must be eliminated.

We begin with some definitions:

Definition 4.1 Memories μ and ν are equivalent with respect to a typing γ, written μ ~γ ν, if μ(h) = ν(h) and μ(x) = ν(x) for all x where γ(x) = L var or γ(x) = L.

Definition 4.2 We say that c is a low command with respect to γ if the only occurrences of high variables in c with respect to γ are references to h in f(h).

Definition 4.3 Given a joint distribution d on dom(γ), we say that command c' is a low probabilistic simulation of a command c, relative to γ and d, if c' is a low command with respect to γ, and if c terminates in μ in k steps with unconditional probability q, relative to d, then there is a memory ν such that c' terminates in ν in at most k + 1 steps with probability q', q' ≥ q and ν ~γ μ.

We will need the following lemma:

Lemma 4.1 Suppose c is a well-typed command with respect to γ and that it has no occurrence of f(h) = f(r). Then there is a low command c' with respect to γ such that
Figure 3. Execution of y := as a sequence of measures

    (while x do x := ¬x, [x := 0]) : d([x := 0])
    (while x do x := ¬x, [x := 1]) : d([x := 1])

    [x := 0] : d([x := 0])
    (x := ¬x; while x do x := ¬x, [x := 1]) : d([x := 1])

    [x := 0] : d([x := 0])
    (while x do x := ¬x, [x := 0]) : d([x := 1])

    [x := 0] : d([x := 0]) + d([x := 1]) = 1

Figure 4. Execution of while x do x := ¬x as a sequence of measures


    (INT)      γ ⊢ n : L

    (IMAGE)    γ ⊢ f(h) : L

    (QUERY)    γ ⊢ f(h) = f(r) : L

    (CONST)    γ(x) = τ
               ------------------
               γ ⊢ x : τ

    (R-VAL)    γ(x) = τ var
               ------------------
               γ ⊢ x : τ

    (EQ)       γ ⊢ e1 : τ,  γ ⊢ e2 : τ
               ---------------------------
               γ ⊢ e1 = e2 : τ

    (HASH)     γ ⊢ e : τ
               ------------------
               γ ⊢ f(e) : τ

    (SKIP)     γ ⊢ skip : H cmd

    (ASSIGN)   γ(x) = τ var,  γ ⊢ e : τ
               ---------------------------
               γ ⊢ x := e : τ cmd

    (COMPOSE)  γ ⊢ c1 : τ cmd,  γ ⊢ c2 : τ cmd
               -----------------------------------
               γ ⊢ c1; c2 : τ cmd

    (IF)       γ ⊢ e : τ,  γ ⊢ c1 : τ cmd,  γ ⊢ c2 : τ cmd
               -----------------------------------------------
               γ ⊢ if e then c1 else c2 : τ cmd

    (WHILE)    γ ⊢ e : τ,  γ ⊢ c : τ cmd
               -----------------------------
               γ ⊢ while e do c : τ cmd

    (BASE)     L ⊆ H

    (REFLEX)   ρ ⊆ ρ

    (CMD⁻)     τ1 ⊆ τ2
               ------------------
               τ2 cmd ⊆ τ1 cmd

    (SUBTYPE)  γ ⊢ p : ρ1,  ρ1 ⊆ ρ2
               ------------------------
               γ ⊢ p : ρ2

Figure 5. Typing rules
for all μ where dom(μ) = dom(γ), whenever (c, μ) →^n μ', there is a μ'' and m such that (c', μ) →^m μ'', μ' ~γ μ'' and m ≤ n.

A proof of this lemma can be obtained by modifying the proof of Theorem 5.1 in [6] in order to treat the slightly-different notion of memory equivalence used here and to handle f calls in expressions.

Finally, the reduction is given by the following theorem:

Theorem 4.2 If c is a well-typed command with respect to γ and d is a joint distribution on dom(γ), then c has a low probabilistic simulation relative to γ and d.

Proof. There are two cases, one where c has no instances of f(h) = f(r) and the other where it does. First suppose that c has no occurrence of f(h) = f(r). Then let c' be the low command given by Lemma 4.1 for c. We can show that c' is a low probabilistic simulation of c as follows.

Let d be a joint distribution on dom(γ) and let

$M = \{\mu \mid \mathrm{dom}(\mu) = \mathrm{dom}(\gamma)\}$.

Suppose c terminates in a memory μ in k steps with unconditional probability q relative to d. Let μ1, ..., μn be all memories in M for which (c, μi) →^j μ for some j where j ≤ k. Then

$q = d(\mu_1) + d(\mu_2) + \cdots + d(\mu_n)$.

By Lemma 4.1, there is a μi' and mi, for each μi, such that (c', μi) →^mi μi', μi' ~γ μ and mi ≤ j. Let νi be μi restricted so that dom(νi) contains exactly h and all low variables of γ. Since c' is low, there is a νi' such that (c', νi) →^mi νi', νi' ~γ μi', and dom(νi') = dom(νi), for i = 1, ..., n. By transitivity of ~γ,

$\nu_1' \sim_\gamma \nu_2' \sim_\gamma \cdots \sim_\gamma \nu_n'$.

Therefore, ν1' = ν2' = ⋯ = νn'. So let ν = ν1'. And c' terminates in ν in at most max(m1, ..., mn) steps with unconditional probability at least q if for any memory ν', whose domain contains exactly h and all low variables of γ, c' begins execution in ν' with probability

$\sum$

Also, max(m1, ..., mn) ≤ k.

Now suppose c has an occurrence of f(h) = f(r). Without loss of generality, assume c has the form

    if f(h) = f(r) then c1 else c2

where c1 and c2 have no instances of f(h) = f(r). There is no loss of generality here because f(h) = f(r) is constant in any memory, given that h and r are read-only variables in every typing, and c is well typed under γ. So let c1' and c2' be the low commands given by Lemma 4.1 for c1 and c2 respectively. We can show that the command c' given by

    (if X then c1' else c2'); X := 0

where X is an independent boolean random variable not in dom(γ), is a low probabilistic simulation of c.

Suppose, relative to d, that c1 terminates in μ in fewer than k steps with probability q1 given that f(h) = f(r). Since there is no free occurrence of r in c1, it also terminates in μ in fewer than k steps with probability q1 given that f(h) ≠ f(r). Therefore, q1 is an unconditional probability that c1 terminates in μ in fewer than k steps. Likewise, suppose c2 terminates in μ in fewer than k steps with probability q2 given that f(h) ≠ f(r). Since there is no free occurrence of r in c2, it also terminates in μ in fewer than k steps with probability q2 given that f(h) = f(r). So q2 is an unconditional probability that c2 terminates in μ in fewer than k steps. Therefore, c terminates in μ in k steps with probability

$q = p \cdot q_1 + (1 - p) \cdot q_2$

where p is defined by

$\sum_{\mu \in M,\; f(\mu(h)) = f(\mu(r))}$

From above, there are memories ν1' and ν2', each equivalent to μ, such that c1' terminates in ν1' in fewer than k steps with probability q1', c2' terminates in ν2' in fewer than k steps with probability q2', q1' ≥ q1 and q2' ≥ q2. By the transitivity of ~γ, ν1' ~γ ν2' which implies ν1' = ν2' since neither has in its domain a high variable of γ besides h.

Now if (c1', ν1) →^j ν1', for some j and ν1, then (c1', ν1[X := n]) →^j ν1'[X := n] because X does not occur free in c1'. Likewise for c2'. And if c' terminates, it does so in a memory that maps X to 0. Therefore, take ν = ν1'[X := 0], and we have that ν1'[X := 0] ~γ μ since ν1'[X := 0] ~γ ν1' and ν1' ~γ μ.

Finally, the unconditional probability that c' terminates in ν in at most k + 1 steps is the probability that

    if X then c1' else c2'

terminates in ν1' in at most k steps. And because X is independent of dom(γ), this latter probability is given by

$q' = p \cdot q_1' + (1 - p) \cdot q_2'$

if for any memory ν', whose domain contains exactly h and all low variables of γ, c' begins execution in ν'[X := 1] with probability

$p \cdot \sum$

Finally, q' ≥ q. □

Suppose γ is a typing with a low variable l in its domain, d is a distribution on dom(γ) and c is a command for copying h to l that is well-typed relative to γ. Now suppose we run c simultaneously in all memories whose domains are equal to dom(γ) for p(n) steps according to the input distribution d, where p is a polynomial and n is the length of the binary encoding of a memory. And suppose that after p(n) steps, c terminates in a memory μ where μ(l) = μ(h) with probability q. By Theorem 4.2, there is a low command c' that terminates in no more than p(n) + 1 steps in a memory ν where ν ~γ μ with probability at least q. Furthermore, ν(l) = ν(h) since ν ~γ μ. And because c' is low, it has therefore managed to find h without any high variables as input, just occurrences of f(h) is all. This brings us to the following Corollary:

Corollary 4.3 Any bound on the probability of finding h from f(h) within polynomial time, for a particular integer size and distribution on h, also applies to the probability of leaking h with a well-typed command in polynomial time with respect to that size and distribution.

Notice that probability p in the preceding proof takes into account the probability that h = r as well as the collision resistance of f. Indeed, we would expect our simple password checker to be run with fairly high probability in a memory where h = r if h stores a password and r is the checker's input. The reduction says that any well-typed program that attempts to exploit this fact has no advantage over a program that cannot reference h or r, but instead can access f(h), call f on inputs of its choice and flip a coin. The one-wayness of f is treated by allowing instances of f(h) in a low probabilistic simulation, which is a program squarely within the realm of a probabilistic model of computation used to define a one-way function [4].

5. Application to password systems

Consider again our simple password checker

    b := (f(h) = f(r))

where variable h stores a password, b is an output variable and r is the input to the checker. Now we want to argue that the checker is secure. We begin by asserting what we know about the free variables. Well, since the output of the checker is public, we expect b to be low. On the other hand, h stores a password so it should be high. Under normal use of the checker, r will likely store the contents of h, and since h is high, we assert that r is high as well. Furthermore, the checker doesn't attempt to update h or r and therefore is well typed under the assumption that these variables are read only. So the checker is secure in the sense that it belongs to a class of programs for which the complexity of leaking h rests upon the intractability of inverting f(h) for sufficiently-long and uniformly-distributed values of h, by the above Corollary. The checker's low probabilistic simulation is given by

    (if X then b := 1 else b := 0); X := 0

where X is the random variable in the proof of Theorem 4.2.
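The measure-sequence execution of Section 2.1 (Figures 3 and 4) and the checker's simulation just given, as an added example that is not code from the paper. It is a Python interpreter for the transition semantics of Figure 2 that runs a command in every memory of a joint distribution at once and keeps the measure on configurations after each step, so the loop of Figure 4 can be seen to end with all mass at [x := 0] after three steps; it then runs the password checker beside its low simulation (if X then b := 1 else b := 0); X := 0, with Pr[X = 1] = p, the mass of input memories where f(h) = f(r), and shows the two agree on the low variables and h. The function f, the input distributions and the tuple encoding of programs are constructed for the example; the assignment of Figure 3, whose right-hand side did not survive extraction, is assumed to be y := ¬x and is written y := (x = 0) since the grammar has no ¬.

```python
from collections import defaultdict
from fractions import Fraction

# Added example, not code from the paper.  Memories are frozensets of
# (name, value) pairs; expressions and commands are nested tuples, e.g.
# (":=", "b", ("=", ("f", ("var", "h")), ("f", ("var", "r")))) for the checker.

def mem(**kv):
    return frozenset(kv.items())

def is_mem(k):
    return isinstance(k, frozenset)

def f(n):
    # Constructed stand-in for the one-way function: n mod 4 collides on
    # purpose, so that p below counts collisions as well as h = r.
    return n % 4

def eval_expr(mu, e):
    """mu(e) for the expression grammar of Section 2 (the query form is an ordinary =)."""
    tag = e[0]
    if tag == "lit":
        return e[1]
    if tag == "var":
        return dict(mu)[e[1]]
    if tag == "f":
        return f(eval_expr(mu, e[1]))
    a, b = eval_expr(mu, e[1]), eval_expr(mu, e[2])
    return {"+": a + b, "&": a & b, "|": a | b,
            "<": int(a < b), ">": int(a > b), "=": int(a == b)}[tag]

def step(c, mu):
    """One transition of Figure 2 from (c, mu): a pair (c', mu') or a final memory."""
    tag = c[0]
    if tag == "skip":                                              # NO-OP
        return mu
    if tag == ":=":                                                # UPDATE
        d = dict(mu)
        d[c[1]] = eval_expr(mu, c[2])
        return frozenset(d.items())
    if tag == ";":                                                 # SEQUENCE
        nxt = step(c[1], mu)
        return (c[2], nxt) if is_mem(nxt) else ((";", nxt[0], c[2]), nxt[1])
    if tag == "if":                                                # BRANCH
        return (c[2] if eval_expr(mu, c[1]) != 0 else c[3], mu)
    if tag == "while":                                             # LOOP
        return ((";", c[2], c), mu) if eval_expr(mu, c[1]) != 0 else mu
    raise ValueError(c)

def run(c, d, steps):
    """Execute c in every memory of the joint distribution d at once (Section 2.1).
    Returns the measures after 0..steps transitions; a final memory is absorbing."""
    measure = {(c, mu): Fraction(p) for mu, p in d.items()}
    seq = [measure]
    for _ in range(steps):
        nxt = defaultdict(Fraction)
        for k, mass in measure.items():
            nxt[k if is_mem(k) else step(*k)] += mass
        measure = dict(nxt)
        seq.append(measure)
    return seq

def terminated(measure, keep=None):
    """Mass on each final memory, optionally projected onto the variables in keep."""
    out = defaultdict(Fraction)
    for k, mass in measure.items():
        if is_mem(k):
            out[k if keep is None else frozenset(kv for kv in k if kv[0] in keep)] += mass
    return dict(out)

def query_probability(d):
    """p of the proof of Theorem 4.2: the mass of memories where f(h) = f(r)."""
    return sum((Fraction(p) for mu, p in d.items()
                if f(dict(mu)["h"]) == f(dict(mu)["r"])), Fraction(0))

NOT_X = ("=", ("var", "x"), ("lit", 0))                  # the paper's ¬x within the grammar
ASSIGN = (":=", "y", NOT_X)                               # Figure 3, assumed to be y := ¬x
D_ASSIGN = {mem(x=0, y=0): Fraction(1, 4), mem(x=0, y=1): Fraction(3, 8),   # constructed
            mem(x=1, y=0): Fraction(1, 8), mem(x=1, y=1): Fraction(1, 4)}
LOOP = ("while", ("var", "x"), (":=", "x", NOT_X))        # Figure 4
D_LOOP = {mem(x=0): Fraction(1, 2), mem(x=1): Fraction(1, 2)}                # constructed

CHECKER = (":=", "b", ("=", ("f", ("var", "h")), ("f", ("var", "r"))))
# Constructed inputs: the right password half the time, a wrong one that
# collides under f a quarter of the time, and a wrong one that does not otherwise.
D_CHECK = {mem(h=5, r=5, b=0): Fraction(1, 2),
           mem(h=5, r=1, b=0): Fraction(1, 4),
           mem(h=5, r=2, b=0): Fraction(1, 4)}
SIM = (";", ("if", ("var", "X"), (":=", "b", ("lit", 1)), (":=", "b", ("lit", 0))),
       (":=", "X", ("lit", 0)))

def sim_distribution(d):
    """Input distribution for SIM: drop r and add the independent X with Pr[X = 1] = p."""
    p = query_probability(d)
    out = defaultdict(Fraction)
    for mu, mass in d.items():
        low = {x: v for x, v in mu if x != "r"}
        out[mem(**low, X=1)] += Fraction(mass) * p
        out[mem(**low, X=0)] += Fraction(mass) * (1 - p)
    return dict(out)

if __name__ == "__main__":
    print("Figure 4 after three steps:", terminated(run(LOOP, D_LOOP, 3)[3]))
    print("checker:", terminated(run(CHECKER, D_CHECK, 1)[1], {"h", "b"}))
    print("simulation:", terminated(run(SIM, sim_distribution(D_CHECK), 3)[3], {"h", "b"}))
```

Because each row of the chain's matrix is a point mass, `run` never splits mass, only moves it; terminated memories are left in place so mass accumulates there, which is what makes the "terminates in μ in k steps with unconditional probability" reading of Section 2.1 a simple lookup in the k-th measure. The simulation needs one extra step over the conditional form of the checker, matching the k + 1 of Definition 4.3.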

Now suppose passwords are stored in a read-protected file in the clear as in, for example, a secrets file for CHAP (Cryptographic Handshake Authentication Protocol) widely used by PPP. In this case, the checker becomes just

    b := (h = r)

We can argue that this checker too is secure using the reduction in Theorem 4.2 where we assume f is the identity function. But this assumption requires that rule IMAGE be eliminated, for clearly it is no longer sound. This means the adversary can no longer access the "resource" f(h). Instead, we replace this form of access to h with a new form, namely match(h, e), which is true in μ if μ(h) = μ(e). It has the following typing rule:

    γ ⊢ e : L
    ------------------------
    γ ⊢ match(h, e) : L

Again, there is downgrading taking place, as in rule IMAGE. Whether match has any utility from the standpoint of writing useful programs is not important. What is important is that we provide the adversary with the resources we would realistically expect it to have. In the case of one-way functions, the adversary expects f(h), but with f treated as the identity function, it now becomes the ability to match inputs of the adversary's choice against h which is precisely what match provides.

If access to h is limited to match queries and the values of h are uniformly distributed k-bit integers, then the probability of successfully leaking h with any deterministic polynomial-time command containing an independent random variable goes to zero as k increases [6]. If rule QUERY is replaced by the rule

    γ ⊢ h = r : L

then the second checker is well typed in the modified system, and is therefore secure in the sense that it belongs to a class of programs for which the complexity of leaking h rests upon this asymptotic hardness result, by Theorem 4.2.

Finally, to say something about the password system as a whole, we need to treat password updates as well. A password updater for h is given in Figure 6. The updater expects the old password, so free variable old is asserted to be a high variable, as is new which stores the new password. This program is well typed in a different type system, namely that of [7], assuming the strength-checking portion is well typed. Therefore, it satisfies a Noninterference property which is appropriate for this program, as there is no downgrading taking place.

    if f(h) = f(old) then
        check strength of new password
        h := new;
    else skip

Figure 6. A password update program for h

The results here can also be applied to the GNU implementation of CHAP. The C code that hashes randomly-generated server challenges with a shared CHAP secret, using RSA's MD5, is well typed. That tells us the code belongs to a class of programs for which leaking shared secrets is as hard as inverting 16-byte MD5 message digests computed over random challenges and sufficiently-long and uniformly-distributed CHAP secrets. It is really only in this sense that one can argue the code "protects" the confidentiality of shared CHAP secrets.

One final word is needed about modeling adversaries. We can identify two kinds of adversaries: inside and outside. Inside adversaries write programs that we want to trust and have direct access to secrets like h and r. Outside adversaries write programs we never trust, and therefore are denied direct access to secrets through some sort of access control. Each adversary has a typing rule where downgrading occurs. For the outside adversary, it is rule IMAGE (or the rule for match if f is the identity) and for the inside adversary, it is rule QUERY. Both forms of adversary should be represented in a computational model. One could argue that the work in [6] does not treat inside adversaries completely because it does not consider a rule like QUERY.

6. Conclusion

This paper presents syntactic conditions, via a type system, for introducing one-way functions into a programming language with more flexibility than what Noninterference allows. These conditions are sound in a computational sense and allow one to argue for the security of some systems where downgrading must occur.

Notice that functions are not part of the language we considered. That means commands in the language cannot call other commands. Functions pose a problem since λ-bound variables, although constant in a function body, can be bound in different ways through different function applications. This capability breaks the reduction. A useful line of work would be to identify conditions under which functions could be introduced securely.